Back to skill

Security audit

Openapi Docs Generator

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only OpenAPI helper skill with somewhat broad activation wording but no executable, credential, persistence, or data-exfiltration behavior.

Install this if you want an agent helper for OpenAPI or Swagger documentation tasks. Be aware it may activate for broad API or developer-experience wording because implicit invocation is enabled and the trigger examples are loose; invoke it explicitly for best results.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger sentences are generic and partially malformed, making it more likely that normal user requests about APIs, documentation, or workflows will unintentionally invoke this skill. In an agent ecosystem, over-broad activation can route users into the wrong workflow, causing unintended processing, confused delegation, or misuse of downstream capabilities.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases are broad and generic enough to activate the skill for loosely related requests, which can cause unintended routing and execution in contexts the user did not explicitly request. In an agent ecosystem, overbroad invocation increases the chance of prompt-surface expansion, irrelevant capability use, or abuse by embedding these phrases into unrelated prompts.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The skill description and usage guidance are broad enough to activate on common software/API-related requests without tightly constraining when the skill should be selected. Over-broad routing can cause the agent to invoke this skill in mismatched contexts, leading to irrelevant guidance, reduced reliability, or unsafe handling of requests better served by a more specialized skill.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The example trigger sentences use generic phrasing like 'Help me' and 'I need a practical workflow' with only loosely attached domain text, which can match everyday requests and increase accidental invocation. This broadens the skill's effective scope and may override more appropriate skills or produce context-inappropriate outputs.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger keywords are broad and loosely bounded, including generic terms like 'software-and-data', 'openapi', 'swagger', and 'developer experience'. This can cause the skill to activate outside its intended scope, leading to incorrect routing, irrelevant responses, or accidental invocation in contexts where other skills or safer defaults should apply.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The description defines usage conditions in a very general way, covering multiple broad domains and task types without precise boundaries. In practice, this increases the chance of over-triggering the skill for loosely related requests, which can reduce reliability and potentially expose users to inappropriate workflow guidance for tasks outside the skill's intended purpose.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill enables implicit invocation without any clear trigger constraints or narrowing conditions. This can cause the agent to auto-select the skill in situations only loosely related to OpenAPI work, increasing the chance of unintended prompt routing, over-broad tool use, or abuse through crafted user inputs that opportunistically activate the skill.

Vague Triggers

High
Confidence
92% confidence
Finding
The trigger sentence begins with a very generic phrase ('Help me ...') that can match ordinary user language unrelated to explicit skill invocation. In an agent system, overly broad triggers can cause unintended activation, routing user prompts into this skill when they did not request it, which increases the chance of incorrect tool selection and prompt-scope confusion.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The invocation description uses a broad generic request pattern ('I need a practical workflow for ...') without a constrained scope, making it ambiguous and likely to overlap with many benign requests. This can lead to accidental skill invocation, reducing routing integrity and potentially causing the agent to expose irrelevant instructions or outputs in the wrong context.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.